Last updated: July 5, 2026 at 9:01 AM UTC
Tag: api-keys (3 articles)

Hackers mass-exploit Gravity SMTP WordPress flaw to steal email API keys

Attackers are mass-exploiting a flaw in Gravity SMTP, a WordPress email plugin installed on about 100,000 sites, to harvest credentials without any login. The bug (CVE-2026-4020) leaves a REST API endpoint with a permission check that always passes, so a single unauthenticated request returns a 365 KB system report containing API keys, secrets, and OAuth tokens for connected email services like Amazon SES, Mailjet, and Zoho, plus detailed software-stack information. Wordfence has blocked more than 17 million attempts, with activity spiking around June 6 and 7. A patch shipped in version 2.1.5, but updating does not revoke keys attackers may have already grabbed.

Check
Identify WordPress sites running Gravity SMTP at version 2.1.4 or earlier, and review web server access logs for requests to the /wp-json/gravitysmtp/v1/tests/mock-data endpoint, which indicate attempted or successful data exposure.
Affected
WordPress sites running Gravity SMTP through 2.1.4 with email integrations configured (CVE-2026-4020); exposed API keys and OAuth tokens let attackers abuse connected email services and map the site for follow-on attacks.
Fix
Update Gravity SMTP to 2.1.5 or later, then assume compromise: rotate all API keys, secrets, and OAuth tokens set in the plugin's email connectors, and block the published attacker IPs.
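A log check for the endpoint named in the Check step above, added here as an example and not code from the advisory, the plugin, or Wordfence. It scans combined-format access log lines, counts probes of the mock-data endpoint per source IP, and flags responses that look like a successful report disclosure; the regex field names, the 100 KB size threshold, and the sample log lines are this example's own assumptions.

```python
import re
from collections import Counter

# Endpoint named in the advisory; any request to it is a probe, a large 200 is a likely leak.
GRAVITY_SMTP_ENDPOINT = "/wp-json/gravitysmtp/v1/tests/mock-data"

# Combined log format (nginx/Apache default). Group names are this script's own.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def scan_access_log(lines):
    """Return per-IP probe counts and the requests that most likely leaked the report."""
    probes = Counter()
    leaks = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path").split("?", 1)[0]
        if path.rstrip("/") != GRAVITY_SMTP_ENDPOINT:
            continue
        ip, status = m.group("ip"), int(m.group("status"))
        size = int(m.group("bytes")) if m.group("bytes") != "-" else 0
        probes[ip] += 1
        # Assumption: an unpatched site answers 200 with the ~365 KB report, while a
        # patched site rejects the request or returns a small body; treat any 200
        # above 100 KB as a probable disclosure worth a key rotation.
        if status == 200 and size >= 100_000:
            leaks.append({"ip": ip, "time": m.group("ts"), "bytes": size})
    return {"probes_by_ip": dict(probes), "likely_leaks": leaks}

# Constructed sample lines (not real traffic) covering a leak, a blocked probe and noise.
SAMPLE_LOG = [
    '203.0.113.10 - - [06/Jun/2026:02:14:07 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 373912 "-" "python-requests/2.31"',
    '203.0.113.10 - - [06/Jun/2026:02:14:09 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "python-requests/2.31"',
    '198.51.100.7 - - [07/Jun/2026:11:02:51 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?x=1 HTTP/1.1" 403 96 "-" "curl/8.5.0"',
    '192.0.2.44 - - [07/Jun/2026:11:03:00 +0000] "GET /wp-content/uploads/a.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    import json
    print(json.dumps(scan_access_log(SAMPLE_LOG), indent=2))
```

Feed it real lines with `scan_access_log(open("access.log"))`; an empty `likely_leaks` list is not proof of safety if the log does not cover the whole exposure window.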

Aikido shows Google API keys keep working up to 23 minutes after deletion; Google closes report as 'won't fix'

Aikido Security's Joe Leon has documented that standard Google Cloud API keys keep working for up to 23 minutes after they are deleted from the GCP console, with a median revocation window of 16 minutes. Over 10 trials across two days, the team kept sending authenticated requests at 3-5 per second; one trial saw 79% of requests succeed one minute after deletion. During this window, an attacker holding a leaked key retains full access to any enabled API on the project, including Gemini file dumps, BigQuery, and Maps. Google closed the bug report as 'won't fix.' Service-account deletions propagate in around 5 seconds; only standard API keys are slow.

Check
Review your GCP secret-rotation runbooks. Identify which services use standard API keys rather than service accounts. Search GCP audit logs for authenticated calls that succeeded after a recent key deletion.
Affected
Any organization that uses standard Google Cloud API keys and assumes deletion provides immediate revocation. Service accounts (5-second propagation) and Gemini's newer API key format (~1 minute) are not affected.
Fix
Migrate from standard API keys to service accounts where possible. Treat a deleted Google API key as live for 30 minutes during leak response. Combine deletion with key rotation.

Instructure, the company that runs Canvas for schools and universities, says hackers breached its systems

Instructure disclosed Friday that a 'criminal threat actor' breached its systems. The company runs Canvas, the learning management platform used by schools, universities, and corporate training programs, so a successful breach exposes student records, teacher records, course content, and grades. Instructure has not said how many users are affected or what data was taken, only that outside forensic investigators are looking into it. Canvas Data 2 and Canvas Beta have been in maintenance since May 1, with customers warned about API key issues. The pattern matches the January 2025 PowerSchool breach, which exposed data on 62 million students and is still being followed by ransom demands against individual schools.

Check
If your school or organization uses Canvas, audit which API keys you have integrated with Canvas and rotate any issued in the past 6 months as a precaution.
Affected
Schools, universities, and corporate training organizations using Canvas. Student records, teacher records, course content, gradebook data, and uploaded files are all in scope until Instructure confirms otherwise. Salesforce-integrated Canvas tenants may be at higher risk: the 2025 Instructure incident was traced to a Salesforce compromise.
Fix
Rotate Canvas API keys, especially for downstream tools (gradebook integrations, SSO, third-party plugins). Brief students, parents, and faculty that any 'Canvas account verification' email is potentially hostile and that they should go to canvas.instructure.com directly. Request Instructure's incident notification timeline in writing and prepare your own student/parent notification template in advance.